vPro Setup and Configuration for the dc7800p Business PC with Intel vPro Processor Technology
Table Of Contents
- vPro Setup and Configuration for the dc7800p Business PC with Intel vPro Processor Technology
- Introduction
- AMT Setup and Configuration
- AMT System Phases
- SMB Mode - AMT Setup and Configuration with MEBx
- SMB Mode - AMT Setup and Configuration Steps
- 1. Press Ctrl+P during POST to enter Manageability Engine BIOS Extension (MEBx) Setup. You can dis play this option only during POST if set in F10-Setup.
- 2. Type the default password, which is admin. Passwords are case-sensitive.
- 3. Change the MEBx password. The new password must meet the Strong Password criteria defined in the Password Guidelines Section. Type the password twice for verification.
- 4. Select the Intel ME Platform Configuration. A window displays indicating that the system resets after configuration.
- 5. Select Y. ME platform configuration allows IT personnel to configure ME features such as AMT/ASF selection, power options, firmware update capabilities, and so on.
- 6. Select Intel ME State Control, and then select Enabled.
- 7. Select Intel ME Firmware Local Update Qualifier.
- 8. Select Intel ME Features Control.
- 9. Select Intel ME Power Control.
- 10. Return to previous menu to exit the MEBx Setup and save ME configuration. The system will display an Intel ME Configuration Complete message and reboot. After the ME Configuration is complete, you can configure the AMT on the next boot.
- 11. Press Ctrl-P during POST to enter MEBx Setup again.
- 12. Type the MEBx password.
- 13. Select Intel AMT Configuration.
- 14. Select Host Name, and then type a host name.
- 15. Select TCP/IP.
- 16. Select Provision Model.
- 17. Skip Un-Provision. This option returns the system to factory defaults.
- 18. Skip VLAN.
- 19. Select SOL/IDE-R.
- 20. Select Secure Firmware Update, and then select Enabled.
- 21. Skip Set PRTC.
- 22. Select Idle Timeout.
- 23. Select Return to previous menu.
- 24. Select Exit, and then select Y to exit the MEBx Setup and save settings.
- Intel AMT WebGUI
- Connecting with the Intel AMT WebGUI - SMB Example
- 1. Power on an AMT system that has completed AMT Setup and Configuration.
- 2. Execute a Web browser from a separate system - a Management computer on the same subnet as the AMT computer.
- 3. Connect to the IP address specified in the MEBx and port of the AMT system.
- 4. Type the user name and password. The default username is admin and the password is what you set during AMT Setup in the MEBx.
- 5. Review system information and/or make any necessary changes.
- 6. Select Exit.
- Connecting with the Intel AMT WebGUI - SMB Example
- Setup and Configuration Server
- 1. The AMT system sends out a “hello” message that includes the PSK over the network.
- 2. The SCS receives the “hello” message and verifies the PSK.
- 3. If the verification passes, then the SCS begins setup and configuration.
- 4. Once setup and configuration completes, the original PSK is deleted from the AMT client system, and a new PSK is given.
- Setup and Configuration Server Availability
- Enterprise Mode Setup and Configuration
- Enterprise Mode - AMT Setup and Configuration Steps
- 1. Access the MEBx by pressing Ctrl-P during POST.
- 2. Type the default password, which is admin.
- 3. Change the MEBx password, following strong password guidelines.
- 4. Select Intel ME Platform Configuration.
- 5. In Intel ME State Control, select Enabled.
- 6. In Intel ME Firmware Local Update Qualifier, select Always Open.
- 7. Select Intel ME Features Control.
- 8. Select Intel ME Power Control.
- 9. Select Exit and save. The system displays the Intel ME Configuration Complete message, and then reboots.
- 10. Press Ctrl+P during POST to enter MEBx Setup again.
- 11. Type the MEBx password.
- 12. Select Intel AMT Configuration. The Intel AMT Configuration screen includes numerous options, which are available by scrolling down the menu.
- 13. Select Host Name, and then type a host name
- 14. Select TCP/IP.
- 15. Select Provision Model.
- 16. Select Setup and Configuration.
- 17. Skip Un-Provision. This option returns the system to factory defaults. See the Return to Default sec tion for more information about unprovisioning.
- 18. Skip VLAN.
- 19. Select SOL/IDE-R, and then select Y.
- 20. Select Remote Firmware Update, and then select Enabled.
- 21. Skip Set PRTC.
- 22. Select Idle Timeout.
- 23. Select Return to previous menu.
- 24. Select Exit, and then select Y to exit the MEBx Setup and save settings. The system displays an Intel ME Configuration Complete message (only once) and reboots.
- 25. Turn off the system and remove power. The system is now in In-Setup Mode and is ready for deploy ment.
- 26. Plug the system into a power source and connect the network. Use the integrated Intel 82566DM NIC. Intel AMT does not work with any other NIC solution.
- Enterprise Mode - AMT Setup and Configuration Steps
- Provisioning Methods
- USB Drive Key Set Up and Configuration
- 1. An IT technician inserts a USB drive key into a system with a management console.
- 2. The technician request local setup and configuration records from an S&CS through the console.
- 3. The S&CS:
- 4. The management console writes the password, PID, and PPS sets to a Setup.bin file in the USB drive key.
- 5. The technician takes the USB drive key to the staging area where new AMT platforms are located. The technician:
- 6. The system BIOS detects the USB drive key.
- 7. The system BIOS displays a message that automatic setup and configuration will occur.
- 8. MEBx processes the record.
- 9. MEBx writes a completion message to display.
- 10. The IT technician powers down the system. The system is now in In-Setup phase and is ready to be dis tributed to users in an Enterprise mode environment.
- 11. Repeat Step 5 if necessary (more than one system).
- USB Drive Key Requirements
- Remote Configuration
- Remote Configuration: Bare-Metal vs. Delayed
- Remote Configuration Time-outs in HP Systems
- Remote Configuration Prerequisites
- MEBx and Hashes
- 1. Press Ctrl+P for the MEBx, and then type the MEBx password.
- 2. Select Intel AMT Configuration.
- 3. Select Setup and Configuration.
- 4. Select TLS PKI.
- 1. Select Remote Configuration Enable/Disable.
- 2. Skip Manage Certificate Hashes.
- 3. Set FQDN. This option allows the Fully Qualified Domain Name (FQDN) of the SCS to be entered.
- 4. Set PKI DNS Suffix. This option allows you to enter the PKI DNS Suffix of the SCS.
- 5. Select Return to the Previous Menu.
- List of Supported CA Certificates
- Return to Default
- Full Return to Factory Defaults
- Appendix A: Frequently Asked Questions
- Appendix B: Power / Sleep / Global States Explained
- Appendix C: Wake-On-ME Explained
- AMT Setup and Configuration

26
RCFG relies on several new AMT features:
• Embedded Hash Root Certificates
• Self Signed Certificate
• One-Time Password
• Timed network access
One or more hash root certificates are embedded into the AMT firmware. These certificates are integrated
into the Hello messages sent by the AMT system to the SCS. The SCS must have compatible certificates to
authenticate the AMT system.
A self signed certificate can be generated to create a secure connection between the AMT system and the
SCS. This certificate is used for encryption, not authentication. The SCS will use the public key from the
self signed certificate to encrypt the session key it generates and sends it to the AMT system. The AMT sys-
tem can decrypt SCS session key with its private key.
The One-Time Password (OTP) is created during provisioning. This password is used with the remote con-
sole to initiate RCFG and it is sent to both the AMT system and the SCS. This password is used to improve
security.
The network interface used to send out Hello messages is functional for a limited amount of time. The
amount of time is configurable by the OEM.
Remote Configuration: Bare-Metal vs. Delayed
There are two ways to implement Remote Configuration: Bare-Metal and Delayed.
Bare-Metal, as the name implies, is remote configuration of the AMT system without an operating system;
in other words, only the hardware. In this implementation, Setup and Configuration is started (Hello mes-
sage broadcast) as soon as the ME is active and the system is connected to a network. This means that
the AMT system is configured without the use of a local agent and does not use One Time Password (OTP)
authentication.
Bare-Metal RCFG is only available for AMT 3.0 on the dc7800p HP Compaq Business PC. It is not avail-
able for AMT 2.2 on the dc7700p HP Compaq Business PC.
Delayed, as the name implies, is remote configuration at a later time when an operating system has been
installed on the AMT system. In this implementation, Setup and Configuration is started when a remote
console application initiates the process by communicating with the ME through the HECI driver. This
requires a functional OS and agent to be installed on the AMT system. OTP authentication can be used; it
is optional. The remote console provides the OTP to the AMT system and to the SCS.
Consult your ISV management console provider for details on operating system agents for Delayed remote
configuration support.
Delayed RCFG is available for both AMT 3.0 on the dc7800 HP Compaq Business PC and AMT 2.2 on
the dc7700p HP Compaq Business PC.